apostrophe 4.1.1 → 4.2.0

package/modules/@apostrophecms/user/index.js

@@ -34,7 +34,7 @@
 // their preferred language for the admin UI. It will be added only if
 // @apostrophecms/i18n is configured with `adminLocales`.
 
-const credentials = require('credentials');
+const passwordHash = require('./lib/password-hash.js');
 const prompts = require('prompts');
 
 module.exports = {
@@ -52,7 +52,20 @@ module.exports = {
     publishRole: 'admin',
     viewRole: 'admin',
     showPermissions: true,
-    relationshipSuggestionIcon: 'account-box-icon'
+    relationshipSuggestionIcon: 'account-box-icon',
+    scrypt: {
+      // These are the defaults. If you choose to pass
+      // this option, you can pass one or more new values.
+      // "cost" must be a power of 2. See:
+      //
+      // https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback
+      //
+      // Do not pass maxmem, it is calculated automatically.
+      //
+      // cost: 131072,
+      // parallelization: 1,
+      // blockSize: 8
+    }
   },
   fields(self, options) {
     const fields = {};
@@ -426,11 +439,11 @@ module.exports = {
       // in `options.secrets` when configuring this module or via
       // `addSecrets` are not stored as plaintext and are not kept in the
       // aposDocs collection. Instead, they are hashed and salted using the
-      // `credential` module and the resulting hash is stored
+      // the same algorithm applied to passwords and the resulting hash is stored
       // in a separate `aposUsersSafe` collection. This method
       // can be used to verify that `attempt` matches the
       // previously hashed value for the property named `secret`,
-      // without ever storing the actual value of the secret
+      // without ever storing the actual value of the secret.
       //
       // If the secret does not match, an `invalid` error is thrown.
       // Otherwise the method returns normally.
@@ -440,10 +453,20 @@ module.exports = {
         if (!safeUser) {
           throw new Error('No such user in the safe.');
         }
-
-        const isVerified = await self.pw.verify(migrate(safeUser[secret + 'Hash']), attempt);
+        const key = secret + 'Hash';
+        const isVerified = await self.pw.verify(migrate(safeUser[key]), attempt);
 
         if (isVerified) {
+          if ((typeof isVerified) === 'string') {
+            // "verify" updated the hash, store the new one
+            const $set = {};
+            $set[key] = isVerified;
+            await self.safe.updateOne({
+              _id: user._id
+            }, {
+              $set
+            });
+          }
           return null;
         } else {
           throw self.apos.error('invalid', `Incorrect ${secret}`);
@@ -452,8 +475,9 @@ module.exports = {
         function migrate(json) {
           const data = JSON.parse(json);
 
-          // Do not re-encode salt generated by credentials@3
-          if (data.credentials3) {
+          // * Do not re-encode legacy salt generated by credentials@3
+          // * Do not alter salts not generated by the credentials module
+          if (data.credentials3 || (data.hashMethod !== 'pbkdf2')) {
             return json;
           }
 
@@ -477,13 +501,15 @@ module.exports = {
         await self.safe.updateOne({ _id: user._id }, changes);
       },
 
-      // Initialize the [credential](https://npmjs.org/package/credential) module.
+      // Initialize password hashing system. Name is for
+      // legacy reasons
+
       initializeCredential() {
-        self.pw = credentials({
-          // For efficient unit tests only. Reducing the work factor
-          // for actual credentials increases the speed of brute force attacks
-          // if the database is ever compromised
-          work: self.options.insecurePasswords ? 0.01 : 1
+        self.pw = passwordHash({
+          error(s) {
+            return self.apos.error('invalid', s);
+          },
+          scrypt: self.options.scrypt
         });
       },
 

package/modules/@apostrophecms/user/lib/password-hash.js

@@ -0,0 +1,122 @@
+// Password hashing based on scrypt, per:
+// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+//
+// Also includes legacy support for pbkdf2 passwords.
+//
+// Adapted from the "credential" and "credentials" modules,
+// which were also released under the MIT license.
+
+const util = require('util');
+const crypto = require('crypto');
+
+const scrypt = util.promisify(crypto.scrypt);
+const pbkdf2 = util.promisify(crypto.pbkdf2);
+const randomBytes = util.promisify(crypto.randomBytes);
+const timingSafeEqual = crypto.timingSafeEqual;
+
+function getScryptOptions(options) {
+  const result = {
+    cost: 131072,
+    parallelization: 1,
+    blockSize: 8,
+    ...options
+  };
+  // Per https://github.com/nodejs/node/issues/21524
+  // Without this the parameters are rejected as soon as we
+  // exceed the default cost of 16384
+  result.maxmem = 128 * result.parallelization * result.blockSize + 128 * (2 + result.cost) * result.blockSize;
+  return result;
+}
+
+configure.hash = hash;
+configure.verify = verify;
+
+module.exports = configure;
+
+function configure(opts) {
+  opts = {
+    keyLength: 64,
+    ...opts,
+    scrypt: getScryptOptions(opts.scrypt)
+  };
+  return {
+    hash: password => hash(password, opts),
+    verify: (stored, input) => verify(stored, input, opts)
+  };
+}
+
+async function hash(password, opts) {
+  const { keyLength } = opts;
+
+  if (typeof password !== 'string' || password.length === 0) {
+    throw opts.error('Password must be a non-empty string.');
+  }
+
+  const salt = await randomBytes(keyLength);
+  const hash = await scrypt(password, salt, keyLength, opts.scrypt);
+
+  return JSON.stringify({
+    hashMethod: 'scrypt',
+    salt: salt.toString('base64'),
+    hash: hash.toString('base64'),
+    keyLength,
+    scrypt: opts.scrypt
+  });
+}
+
+async function verify(stored, input, opts) {
+  const parsed = parse(stored);
+
+  const {
+    hashMethod, keyLength, salt, hash: hashA
+  } = parse(stored);
+
+  if (typeof input !== 'string' || input.length === 0) {
+    throw opts.error('Input password must be a non-empty string.');
+  }
+  if (!hashMethod) {
+    throw opts.error('Couldn\'t parse stored hash.');
+  }
+  let hashB;
+  if (hashMethod === 'scrypt') {
+    // Use scrypt as a more modern but also safely portable
+    // solution in Node.js
+    const { scrypt: scryptOptions } = parsed;
+    // Calculate maxmem to make sure we still have the resources
+    // if this password was hashed with a higher cost factor
+    // than the one we are using for new passwords
+    hashB = await scrypt(input, salt, keyLength, getScryptOptions(scryptOptions));
+  } else {
+    // Support existing pbkdf2 hashes from credentials module
+    const { iterations } = parsed;
+    const dfn = hashMethod.slice(0, 6);
+    const hfn = hashMethod.slice(7) || 'sha1';
+    if (dfn !== 'pbkdf2') {
+      throw opts.error('Unsupported key derivation function');
+    }
+    if (![ 'sha1', 'sha512' ].includes(hfn)) {
+      throw opts.error('Unsupported hash function');
+    }
+    hashB = await pbkdf2(input, salt, iterations, keyLength, hfn);
+  }
+  const equal = timingSafeEqual(hashA, hashB);
+  if (equal && (hashMethod !== 'scrypt')) {
+    // Modernize legacy hashes on next login
+    return hash(input, opts);
+  } else {
+    return equal;
+  }
+}
+
+function parse(stored) {
+  try {
+    const parsed = JSON.parse(stored);
+    return {
+      ...parsed,
+      salt: Buffer.from(parsed.salt, 'base64'),
+      hash: Buffer.from(parsed.hash, 'base64')
+    };
+  } catch (err) {
+    return {};
+  }
+}

package/modules/@apostrophecms/util/ui/src/http.js

@@ -99,6 +99,9 @@ export default () => {
         throw new Error('If you wish to receive a promise from apos.http methods in older browsers you must have a Promise polyfill. If you do not want to provide one, pass a callback instead.');
       }
       return new window.Promise(function(resolve, reject) {
+        if (!url) {
+          return reject(new Error('url is not defined'));
+        }
         return apos.http.remote(method, url, options, function(err, result) {
           if (err) {
             return reject(err);
@@ -108,6 +111,10 @@ export default () => {
       });
     }
 
+    if (!url) {
+      return callback(new Error('url is not defined'));
+    }
+
     if (apos.prefix && options.prefix !== false) {
       // Prepend the prefix if the URL is absolute:
       if (url.substring(0, 1) === '/') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "4.1.1",
+  "version": "4.2.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -31,6 +31,7 @@
   "author": "Apostrophe Technologies, Inc.",
   "license": "MIT",
   "dependencies": {
+    "@apostrophecms/emulate-mongo-3-driver": "^1.0.2",
     "@apostrophecms/vue-material-design-icons": "^1.0.0",
     "@ckpack/vue-color": "^1.4.1",
     "@floating-ui/dom": "^1.5.3",
@@ -51,7 +52,6 @@
     "@tiptap/extension-underline": "^2.0.3",
     "@tiptap/starter-kit": "^2.0.3",
     "@tiptap/vue-3": "^2.0.3",
-    "@vue/compat": "^3.3.8",
     "@vue/compiler-sfc": "^3.3.8",
     "autoprefixer": "^10.4.1",
     "bluebird": "^3.7.2",
@@ -61,11 +61,10 @@
     "cheerio": "^1.0.0-rc.10",
     "chokidar": "^3.5.2",
     "common-tags": "^1.8.0",
-    "connect-mongo": "^3.0.0",
+    "connect-mongo": "^5.1.0",
     "connect-multiparty": "^2.1.1",
     "cookie-parser": "^1.4.5",
     "cors": "^2.8.5",
-    "credentials": "^3.0.2",
     "css-loader": "^5.2.4",
     "cuid": "^2.1.8",
     "dayjs": "^1.9.8",
@@ -91,7 +90,6 @@
     "mini-css-extract-plugin": "^1.6.0",
     "minimatch": "^3.0.4",
     "mkdirp": "^0.5.5",
-    "mongodb": "^3.6.6",
     "node-fetch": "^2.6.1",
     "nodemailer": "^6.6.1",
     "nunjucks": "^3.2.1",

package/test/docs.js

@@ -1047,6 +1047,157 @@ describe('Docs', function() {
     assert(response.cacheInvalidatedAt.getTime() === response.updatedAt.getTime());
     assert(draft.cacheInvalidatedAt.getTime() === draft.updatedAt.getTime());
   });
+
+  describe('beforeInsert handler', function() {
+    it('should rely on req.mode when inserting a doc without _id', async function() {
+      const req = apos.task.getReq();
+      const draftReq = apos.task.getReq({ mode: 'draft' });
+      const people = apos.modules['test-people'];
+      const instance = people.newInstance();
+
+      const piece1 = {
+        ...instance,
+        title: 'piece 1'
+      };
+
+      const piece2 = {
+        ...instance,
+        title: 'piece 2'
+      };
+
+      const pieceDraft = await people.insert(draftReq, piece1);
+      const piecePublished = await people.insert(req, piece2);
+
+      const actual = {
+        draft: {
+          idMode: pieceDraft._id.split(':').pop(),
+          aposLocale: pieceDraft.aposLocale,
+          aposMode: pieceDraft.aposMode
+        },
+        published: {
+          idMode: piecePublished._id.split(':').pop(),
+          aposLocale: piecePublished.aposLocale,
+          aposMode: piecePublished.aposMode
+        }
+      };
+
+      const expected = {
+        draft: {
+          idMode: 'draft',
+          aposLocale: 'en:draft',
+          aposMode: 'draft'
+        },
+        published: {
+          idMode: 'published',
+          aposLocale: 'en:published',
+          aposMode: 'published'
+        }
+      };
+
+      assert.deepEqual(actual, expected);
+    });
+
+    it('should rely on _id when present for aposMode and aposLocale even if req.mode does not match', async function() {
+      const req = apos.task.getReq();
+      const draftReq = apos.task.getReq({ mode: 'draft' });
+      const people = apos.modules['test-people'];
+      const instance = people.newInstance();
+
+      const piece1 = {
+        _id: 'testid:en:draft',
+        ...instance,
+        title: 'piece 1'
+      };
+
+      const piece2 = {
+        _id: 'testid:en:published',
+        ...instance,
+        title: 'piece 2'
+      };
+
+      const pieceDraft = await people.insert(req, piece1);
+      const piecePublished = await people.insert(draftReq, piece2);
+
+      const actual = {
+        draft: {
+          idMode: pieceDraft._id.split(':').pop(),
+          aposLocale: pieceDraft.aposLocale,
+          aposMode: pieceDraft.aposMode
+        },
+        published: {
+          idMode: piecePublished._id.split(':').pop(),
+          aposLocale: piecePublished.aposLocale,
+          aposMode: piecePublished.aposMode
+        }
+      };
+
+      const expected = {
+        draft: {
+          idMode: 'draft',
+          aposLocale: 'en:draft',
+          aposMode: 'draft'
+        },
+        published: {
+          idMode: 'published',
+          aposLocale: 'en:published',
+          aposMode: 'published'
+        }
+      };
+
+      assert.deepEqual(actual, expected);
+    });
+
+    it('should rely on aposMode when present for _id and aposLocale even if req.mode does not match', async function() {
+      const req = apos.task.getReq();
+      const draftReq = apos.task.getReq({ mode: 'draft' });
+      const people = apos.modules['test-people'];
+      const instance = people.newInstance();
+
+      const piece1 = {
+        ...instance,
+        title: 'piece 1',
+        aposLocale: 'en:draft'
+      };
+
+      const piece2 = {
+        ...instance,
+        title: 'piece 2',
+        aposLocale: 'en:published'
+      };
+
+      const pieceDraft = await people.insert(req, piece1);
+      const piecePublished = await people.insert(draftReq, piece2);
+
+      const actual = {
+        draft: {
+          idMode: pieceDraft._id.split(':').pop(),
+          aposLocale: pieceDraft.aposLocale,
+          aposMode: pieceDraft.aposMode
+        },
+        published: {
+          idMode: piecePublished._id.split(':').pop(),
+          aposLocale: piecePublished.aposLocale,
+          aposMode: piecePublished.aposMode
+        }
+      };
+
+      const expected = {
+        draft: {
+          idMode: 'draft',
+          aposLocale: 'en:draft',
+          aposMode: 'draft'
+        },
+        published: {
+          idMode: 'published',
+          aposLocale: 'en:published',
+          aposMode: 'published'
+        }
+      };
+
+      assert.deepEqual(actual, expected);
+    });
+  });
+
 });
 
 async function insertPeople(apos) {

package/test/password-hash.js

@@ -0,0 +1,56 @@
+const assert = require('assert');
+const passwordHash = require('../modules/@apostrophecms/user/lib/password-hash.js');
+
+const legacyHash = '{"hashMethod":"pbkdf2-sha512","salt":"JEB7TX4iOky4kWy+1xsGlN0u7GpEtEoUxmRzaf0Oi35A5j9ynYZfT1Lk4JofBz5nbAHD4HoMqQnevltTLd4Hbw==","hash":"aFM6axOnaPiwNGly7NsfYEvFHEv1ML4lNyi2nEz95tudK1/M1PUlMbtxujZ+W1Gv8Q2mHh7KnL6Ql94OOL8S0g==","keyLength":64,"iterations":4449149,"credentials3":true}';
+
+describe('password-hash', function() {
+  it('can hash a password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(hash);
+  });
+  it('can verify a correct password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(await instance.verify(hash, 'test one'));
+  });
+  it('cannot verify an incorrect password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(!await instance.verify(hash, 'test two'));
+  });
+  it('hash does not contain password and uses scrypt with parameters', async function() {
+    const instance = getInstance();
+    const hash = JSON.parse(await instance.hash('test one'));
+    assert(!JSON.stringify(hash).includes('test one'));
+    assert.strictEqual(hash.hashMethod, 'scrypt');
+    assert(hash.scrypt);
+    assert.strictEqual(hash.scrypt.cost, 131072);
+    assert.strictEqual(hash.scrypt.blockSize, 8);
+    assert.strictEqual(hash.scrypt.parallelization, 1);
+  });
+  it('can verify and modernize a legacy pbkdf2 password hash', async function() {
+    this.timeout(10000);
+    const instance = getInstance();
+    const hash = await instance.verify(legacyHash, 'test-password');
+    assert(hash);
+    assert.strictEqual(typeof hash, 'string');
+    const data = JSON.parse(hash);
+    assert.strictEqual(data.hashMethod, 'scrypt');
+    assert.strictEqual(await instance.verify(hash, 'test-password'), true);
+    assert.strictEqual(await instance.verify(hash, 'bogus-password'), false);
+  });
+  it('can reject a bad password for a legacy pbkdf2 hash', async function() {
+    this.timeout(10000);
+    const instance = getInstance();
+    assert(!await instance.verify(legacyHash, 'bad-password'));
+  });
+});
+
+function getInstance() {
+  return passwordHash({
+    error(s) {
+      return new Error(s);
+    }
+  });
+}

package/test/users.js

@@ -99,7 +99,7 @@ describe('Users', function() {
     }
   });
 
-  it('should verify a user password created with former credential package', async function() {
+  it('should verify a user password created with former credential package and also upgrade the hash', async function() {
     const req = apos.task.getReq();
     const user = apos.user.newInstance();
 
@@ -115,9 +115,25 @@ describe('Users', function() {
     const oldPasswordHashSimulated =
       '{"hash":"/1GntJjtkMY1iPmQY1gn9f3bOZ5tb2qFL+x4qsDerZq2JL8+12TERR4/xqh246wBb+QJwwIRsF/6E+eccshsLxT/","salt":"GJHukLNaG6xDgdIpxVOpqV7xQLQM7e5xnhDW7oaUOe7mTicr7Ca76M4uUJalN/cQ68CE9O7yXZ5WJOz4RN/udcX0","keyLength":66,"hashMethod":"pbkdf2","iterations":2853053}';
 
-    await apos.user.safe.update({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } });
+    await apos.user.safe.updateOne({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } });
     await apos.user.verifyPassword(user, 'passwordThatWentThroughOldCredentialPackageHashing');
-    await apos.user.safe.remove({ username: 'olduser' });
+
+    // verifyPassword now upgrades legacy hashes on next use, e.g.
+    // the next time it is possible because the password is known
+    const newHash = JSON.parse((await apos.user.safe.findOne({
+      username: 'olduser'
+    })).passwordHash);
+    assert.strictEqual(newHash.hashMethod, 'scrypt');
+    // Confirm the modernized end result is still verifiable with the old password
+    await apos.user.verifyPassword(user, 'passwordThatWentThroughOldCredentialPackageHashing');
+    try {
+      // ... And not with a bogus one
+      await apos.user.verifyPassword(user, 'bogus');
+      assert(false);
+    } catch (e) {
+      // Good
+    }
+    await apos.user.safe.removeOne({ username: 'olduser' });
   });
 
   it('should not be able to insert a new user if their email already exists', async function() {

package/.github/workflows/outdated-dependencies.yml

@@ -1,43 +0,0 @@
-name: Check outdated dependencies
-on:
-  schedule:
-    # Runs every Monday at 8:00
-    - cron: "0 8 * * MON"
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  check_outdated_dependencies:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Git checkout
-        uses: actions/checkout@v2
-      - name: Use Node.js 18
-        uses: actions/setup-node@v1
-        with:
-          node-version: 18
-      - name: Install dependencies
-        run: npm install
-      - name: Check outdated dependencies
-        run: |
-          echo "$(npm outdated)" > output
-          npm outdated
-      - name: Report Status
-        if: failure()
-        run: |
-          outdated_dependencies=$(cat output)
-
-          repo="${{ github.repository }}"
-          repo_url="${{ github.server_url }}/$repo"
-          run_url="$repo_url/actions/runs/${{ github.run_id }}"
-
-          text="ℹ️ The <$repo_url|$repo> project has outdated dependencies:
-          \`\`\`
-          $outdated_dependencies
-          \`\`\`
-          <$run_url|View Run>"
-
-          payload="{\"text\": \"$text\"}"
-          curl -X POST -H 'Content-type: application/json' --data "$payload" $SLACK_WEBHOOK_URL
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }}

package/modules/@apostrophecms/modal/ui/apos/mixins/AposFocusMixin.js

@@ -1,91 +0,0 @@
-/*
- * Provides:
- *
- * Methods to handle focus with keyboard.
- */
-export default {
-  data() {
-    return {
-      elementsToFocus: [],
-
-      // specific to modals:
-      focusedElement: null
-    };
-  },
-  methods: {
-    // Adapted from https://uxdesign.cc/how-to-trap-focus-inside-modal-to-make-it-ada-compliant-6a50f9a70700
-    // All the elements inside modal which you want to make focusable.
-    //
-    // This has been adapted to Vue logic with `this.elementsToFocus` array as a data
-    // so that any elements, not only from a modal but a menu for instance, can be focusable.
-    // `cycleElementsToFocus` listeners relies on this dynamic list which has the advantage of
-    // taking new or less elements to focus, after an update has happened inside a modal,
-    // like an XHR call to get the pieces list in the AposDocsManager modal, for instance.
-    cycleElementsToFocus(e) {
-      if (!this.elementsToFocus.length) {
-        return;
-      }
-
-      const isTabPressed = e.key === 'Tab' || e.code === 'Tab';
-      if (!isTabPressed) {
-        return;
-      }
-
-      const firstElementToFocus = this.elementsToFocus.at(0);
-      const lastElementToFocus = this.elementsToFocus.at(-1);
-
-      // If shift key pressed for shift + tab combination
-      if (e.shiftKey) {
-        if (document.activeElement === firstElementToFocus) {
-          // Add focus for the last focusable element
-          lastElementToFocus.focus();
-          e.preventDefault();
-        }
-        return;
-      }
-
-      // If tab key is pressed
-      if (document.activeElement === lastElementToFocus) {
-        // Add focus for the first focusable element
-        firstElementToFocus.focus();
-        e.preventDefault();
-      }
-    },
-    // Focus the last focused element from the last modal.
-    // If it is not focusable (not visible/not in the DOM),
-    // fallbacks to the first focusable element from the last modal.
-    focusLastModalFocusedElement() {
-      const lastModal = apos.modal.stack.at(-1);
-
-      if (!lastModal) {
-        return;
-      }
-
-      const { focusedElement, elementsToFocus } = lastModal;
-
-      this.focusElement(focusedElement, elementsToFocus[0]);
-    },
-    storeFocusedElement(e) {
-      this.focusedElement = e.target;
-    },
-    // Iterate through elements given in arguments and
-    // focus the first element that exists in the DOM.
-    focusElement(...elementsToFocus) {
-      for (const element of elementsToFocus) {
-        const isAlreadySelected = document.activeElement === element;
-
-        if (!element || !this.isElementVisible(element)) {
-          continue;
-        }
-        if (!isAlreadySelected) {
-          element.focus();
-        }
-        // Element exists in the DOM and is focused, stop iterating.
-        return;
-      }
-    },
-    isElementVisible(element) {
-      return element.offsetParent !== null;
-    }
-  }
-};